b"                            U S. DEPARTMENT OF ENERGY\n                           OFFICE OF INSPECTOR GENERAL\n\n\n\n\n                     MATTERS IDENTIFIED AT THE\n                 SAVANNAH RIVER OPERATIONS OFFICE\n         DURING THE AUDIT OF THE DEPARTMENT'S CONSOLIDATED\n               FISCAL YEAR 1998 FINANCIAL STATEMENTS\n\n\n\n The office of Inspector General wants to make the distribution of its reports as customer\nfriendly and cost effective as possible. Therefore, this report will be available electronically\n                       through the Internet at the following addresses:\n\n           Department of Energy Management and Administration Home Page\n\n                                  http://www.hr.doe.gov/ig\n\n                                              or\n\n                                   http://www.ma.doe.gov\n\n\n  Your comments would be appreciated and can be provided on the Customer Response\n                           Form attached to the report.\n\n\n\n\nReport Number: ER-FS-99-03                                    Eastern Regional Audit Office\nDate of Issue: May 1999                                       Oak Ridge, TN\n\x0c            MATTERS IDENTIFIED AT THE\n        SAVANNAH RIVER OPERATIONS OFFICE\nDURING THE AUDIT OF THE DEPARTMENT'S CONSOLIDATED\n      FISCAL YEAR 1998 FINANCIAL STATEMENTS\n\n\n\n                 TABLE OF CONTENTS\n\n                                                             Page\n\n         OVERVIEW\xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 .          1\n\n         Introduction and Objective\xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6    1\n\n         Scope and Methodology\xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6        1\n\n         Observations\xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 ..     2\n\n         DETAILS OF OBSERVATIONS \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6            3\n\x0c                                            OVERVIEW\n\n\nINTRODUCTION AND OBJECTIVE\n\n        The Government Management Reform Act of 1994 requires that audited financial\nstatements covering all accounts and associated activities of the Department be submitted annually\nto the Office of Management and Budget. A Departmentwide audit of the consolidated Fiscal\nYear (FY) 1998 financial statements was conducted by examining internal controls, assessing\ncompliance with laws and regulations, evaluating accounting transaction cycles, and testing\nselected account balances at various Department facilities.\n\n        The objective of the Departmentwide audit was to determine whether the Department\xe2\x80\x99s\nconsolidated financial statements presented fairly, in all material respects, the financial position of\nthe Department as of September 30, 1998 and 1997, and its consolidated net cost, changes in net\nposition, budgetary resources, financing activities, and custodial activities for the fiscal years then\nended in conformity with Federal accounting standards. Departmentwide issues are addressed in\nAudit Report No. IG-FS-99-01, issued February 25, 1999.\n\n       The purpose of this report is to inform Savannah River Operations Office's (Savannah\nRiver) management concerning matters that came to the attention of the Office of Inspector\nGeneral during the audit at Savannah River and Westinghouse Savannah River Company\n(Westinghouse). Savannah River is responsible for the account balances entered into the\nDepartment\xe2\x80\x99s core accounting system (DISCAS).\n\nSCOPE AND METHODOLOGY\n\n       The audit was conducted from May 1998 through January 1999 at Savannah River and\nWestinghouse. Specifically, we examined internal controls, assessed compliance with applicable\nlaws and regulations, and selectively tested account balances reported to Departmental\nHeadquarters as necessary to achieve the Departmentwide audit objective.\n\n         Audit work was performed in accordance with generally accepted Government auditing\nstandards for financial audits. Since we relied on computer-generated data, we evaluated the\ngeneral and application control environment of certain financial systems and evaluated the\nreliability of the data on a test basis.\n\n        Because the audit was limited, it would not necessarily disclose all the internal control\nweaknesses that may have existed. Furthermore, because of inherent limitations in any system of\ninternal controls, errors or irregularities may occur and not be detected. The issues addressed in\nthis report represent our observations of activities through the end of fieldwork on\nJanuary 5, 1999. Projections of any evaluation of the internal controls to future periods is subject\nto the risk that procedures may become inadequate because of changes in conditions or the\neffectiveness of the design and operation of policies and procedures may deteriorate.\n\n\n\n\n                                                   1\n\x0c        In addition to the audit work conducted by the Office of Inspector General, Westinghouse\ninternal audit personnel reviewed the payroll cycle at Westinghouse. The results of the internal\naudit work were reported separately through internal audit\xe2\x80\x99s normal reporting process. Also, an\nindependent public accounting firm reviewed Nuclear Materials Inventories, Pension and Other\nPost-Retirement Liabilities, Disbursements, and Finance.\n\n        The Office of Inspector General considered all findings generated as a result of these\nreviews when preparing the audit report on the Department\xe2\x80\x99s consolidated FY 1998 financial\nstatements (Audit Report No. IG-FS-99-01) and the management report referred to in that report.\nThe Office of Inspector General is addressing issues requiring local management attention in this\nreport.\n\n       Savannah River management waived the exit conference.\n\n\nOBSERVATIONS\n\n        At Savannah River and Westinghouse, we observed weaknesses in internal controls for\ncomputer systems, year-end reconciliation procedures, and active facility remediation data.\nSpecifically, we found that although Westinghouse had implemented policies, procedures, and\nphysical controls to protect computer programs and data files, certain vulnerabilities existed on\nselected systems and devices. We also found that certain discrepancies in year-end financial data\nwere not detected and square footage information supporting the accrued liability for remediation\nof active facilities was inconsistent. We recommend that internal controls be strengthened in these\nareas. In addition, we observed that Savannah River had inadvertently excluded two segments\nfrom its allocation of indirect costs.\n\n        Management generally concurred with the findings and recommendations and has agreed\nto take corrective action.\n\n       Details of the observations and management's response start on page 3.\n\n\n                                                     _________(Signed)______\n                                                     Office of Inspector General\n\n\n\n\n                                                2\n\x0c                                DETAILS OF OBSERVATONS\n\n\n1.     Site Computer Network\n\n        Westinghouse relies heavily on computer resources, including its computer network\n(SRSNET), to carry out its mission. The SRSNET consists of local area networks for operational\nand administrative functions. Federal and Departmental directives require that procedures be\ndeveloped and implemented to prevent misuse and abuse of unclassified computer resources.\nThese procedures should include access controls, such as passwords and user identifications, to\nprotect these resources from unauthorized modification, loss, or disclosure. These procedures\nshould also include practices to authorize, monitor, and review user access.\n\n        We reviewed the automated system security control environment for SRSNET and\nselected devices including information systems that process financial data for preparation of the\nDepartment\xe2\x80\x99s financial statements. We found that although Westinghouse had implemented\npolicies, procedures, and physical controls to protect computer programs and data files, certain\nvulnerabilities existed on selected systems and devices. This condition resulted because\nWestinghouse had not implemented sufficient controls to prevent unauthorized access to selected\nsystems and devices. As a result, there is an increased risk of unauthorized access to the\nSRSNET.\n\nRecommendation\n\n       We recommend that the Manager, Savannah River Operations Office, direct Westinghouse\nto improve security controls for accessing its computer network.\n\nManagement Response\n\n        Management generally agreed with the finding and recommendation and indicated that\naction had been taken to address the finding and prevent recurrences.\n\nAuditor Comment\n\n       The comments provided are responsive to the intent of our recommendation.\n\n\n\n\n                                                3\n\x0c2.     Year End Reconciliations\n\n        The Department\xe2\x80\x99s Accounting Handbook states that each field element independently\nmonitors and controls the activities that affect their accounts. To ensure the accuracy of the\nDepartment\xe2\x80\x99s financial data, each operations/field office needs to assess the reliability and\naccuracy of the financial data reported by the Department for their office. We observed instances\nwhen Savannah River did not detect that the totals recorded in DISCAS were not in agreement\nwith the amounts reported in the financial statements produced by the Headquarters MARS-based\nsystem. Specifically, for account 3896 - Funded Environmental Liabilities, DISCAS recorded\nthe FY 1998 balance as $135 million and the MARS-based system reported the balance as $289\nmillion, a difference of $154 million. For account 3996 -Environmental Liabilities, DISCAS\nrecorded the FY 1998 balance as $28,255 million and the MARS-based system reported the\nbalance as $28,759 million, a difference of $504 million. Savannah River had not performed a\nreconciliation between the DISCAS trial balance and the amounts reported in the financial\nstatements produced by the Headquarters MARS-based system. As a result, Savannah River did\nnot notify Headquarters that the financial statement data produced by the MARS-based system\nwere inaccurate.\n\nRecommendation\n\n       We recommend that the Manager, Savannah River Operations Office, incorporate into the\nannual year-end process the reconciliation of the DISCAS trial balance with the financial\nstatement data produced from the MARS-based system.\n\nManagement Response\n\n        Management concurred with the recommendation and agreed to establish a year-end\nclosing routine that would require reconciliations of the generated financial statements to the\nDISCAS trial balance.\n\nAuditor Comment\n\n       Management\xe2\x80\x99s action was responsive to the finding and recommendation.\n\n\n\n\n                                                 4\n\x0c3.     Remediation of Active Facilities\n\n\n        The Department\xe2\x80\x99s accrued liability for active facilities represents anticipated remediation\ncosts for facilities that are conducting ongoing operations but will ultimately require stabilization,\ndeactivation, and decommissioning. The field offices provide Departmental Headquarters with\nestimated data detailed by facility type and footprint (number of floors and square footage). From\nthis data, the Department generates its accrued liability for remediation of active facilities. As of\nSeptember 30, 1998, the Department\xe2\x80\x99s accrued liability for active facilities was about $20 billion.\n\n         Savannah River used its Facility Information Management System (FIMS) to develop the\nactive facility data provided to Headquarters. While verifying the square footage used to develop\nthe data, we found several databases that contained inconsistent square footage information. As a\nresult, there is an increased risk of misstatements in the Department\xe2\x80\x99s active facility liability.\n\nRecommendation\n\n        The Manager, Savannah River Operations Office, should institute internal controls to\nensure that square footage data is accurate and consistent.\n\n\nManagement Response\n\n         Management concurred with the recommendation and stated that a management task team\nis developing methodology to insure that a single database feeds facility information to all affected\nsite systems.\n\nAuditor Comment\n\n       The planned action is responsive to the intent of the recommendation.\n\n\n\n\n                                                  5\n\x0c4.     Allocation Of Indirect Costs\n\n        In its FY 1998 allocation of indirect costs, Savannah River inadvertently excluded two\nresponsibility segments from its calculation. In one case, costs of about $31.5 million for\nresponsibility segment 08940 (\xe2\x80\x9cOther Programs\xe2\x80\x9d) were not allocated to other responsibility\nsegments. In the other case, costs of about $5.6 million for budget and reporting code WN were\nnot included in the cost allocation base. As a result, the allocation of indirect costs was\ninaccurate.\n\nRecommendation\n\n        We recommend that the Manager, Savannah River Operations office, revise the indirect\ncost allocation to include the two segments that had been omitted.\n\nManagement Response\n\n        Management concurred with the finding and recommendation. The FY 1998 managerial\ncost allocation was revised and resubmitted to Departmental Headquarters in December 1998.\n\nAuditor Comments\n\n        Management\xe2\x80\x99s action was responsive to the finding and recommendation and no further\naction is required.\n\n\n\n\n                                               6\n\x0c                                                              IG Report No. ER-FS-99-03\n\n\n\n\n                           CUSTOMER RESPONSE FORM\n\nThe Office of Inspector General has a continuing interest in improving the usefulness of its\nproducts. We wish to make our reports as responsive as possible to our customers'\nrequirements, and therefore ask that you consider sharing your thoughts with us. On the\nback of this form, you may suggest improvements to enhance the effectiveness of future\nreports. Please include answers to the following questions if they are applicable to you:\n\n       1.      What additional background information about the selection,\n               scheduling, scope, or procedures of the audit or inspection would\n               have been helpful to the reader in understanding this report?\n\n       2.      What additional information related to findings and\n               recommendations could have been included in this report to assist\n               management in implementing corrective actions?\n\n       3.      What format, stylistic, or organizational changes might have made this\n               report's overall message more clear to the reader?\n\n       4.      What additional actions could the Office of Inspector General have taken\n               on the issues discussed in this report which would have been helpful?\n\nPlease include your name and telephone number so that we may contact you should we\nhave any questions about your comments.\n\nName ____________________________ Date_____________________\n\nTelephone _______________________ Organization_____________\n\nWhen you have completed this form, you may telefax it to the Office of Inspector General\nat (202) 586-0948, or you may mail it to:\n\n       Office of Inspector General (IG-1)\n       U.S. Department of Energy\n       Washington, D.C. 20585\n       ATTN: Customer Relations\n\nIf you wish to discuss this report or your comments with a staff member of the Office of\nInspector General, please contact Wilma Slaughter at (202) 586-1924.\n\n\n\n\n                                                 7\n\x0c8\n\x0c"